Spyware Company Exposed ‘281 Gigabytes’ of Children’s Photos Online

Consumer spyware company Family Orbit confirmed that it left its cloud storage servers vulnerable to hackers.

This story is part of When Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.

A company that sells spyware to parents left the pictures of hundreds of monitored children online, only protected by a password that almost anyone could find, according to a hacker.

Advertisement

The hacker, who’s mainly known for having hacked spyware maker Retina-X, wiping its servers (twice), said he was able to find the key to the cloud servers of Family Orbit, a company that that markets itself as “the best parental control app to protect your kids.” The servers contained the photos intercepted by the spyware, according to the hacker. The company confirmed the breach to Motherboard.

“I had all photos uploaded from the phones of kids being monitored, and also some screenshots of the developer's desktops which exposed passwords and other secrets,” the hacker told me in an online chat.

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzo@motherboard.tv

The company left exposed 3,836 containers on Rackspace with 281 gigabytes of pictures and videos, the hacker said. The hacker shared screenshots showing he had access to the folders. Motherboard was also able to verify the breach after the hacker shared a sample of users. We verified that those were active users by attempting to register to the service using those email addresses. With all the six emails, the site said the addresses were already in use.

A representative of Family Orbit confirmed to Motherboard that the API key is stored encrypted in the app, and that the company observed “unusual bandwidth” used in their cloud storage.